# Article model with declarative authorization rules attached.
#
# NOTE(review): how `use(...)` combines the listed policies (any one granting
# access suffices, or all must agree) is defined by the authorization plugin,
# not visible here — confirm before relying on these rules. Each policy's
# object_policy is what actually inspects the article (is_public?,
# is_published?, is_publishable?, owner).
class Article
include DataMapper::Resource
authorizable!
authorize_with do
# :Public consults is_public? when the object defines it, so the article
# itself decides whether anonymous viewing is allowed.
with(:view ).use(:Public, :ViewPublished, :Admin, :PublisherRole)
with(:view_draft).use(:Owner, :PublisherRole, :Admin)
with(:edit ).use(:Owner, :Admin)
# SECURITY(review): :create is :Public — every caller, including an
# unauthenticated one if the app allows it, may create articles.
with(:create ).use(:Public)
with(:delete ).use(:Admin)
end
end
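# REST controller for Article.
#
# `authorize_resource! Article` (plugin-defined, not visible here) is assumed
# to load @article for the member actions and to enforce the model's
# :view/:edit/:delete rules — confirm which actions it covers. `draft` is not
# a standard REST action, so it loads the record and checks :view_draft itself.
class Articles < Application
  authorize_resource! Article

  # Lists at most 10 articles, keeping only those the caller may :view so the
  # index does not leak unpublished articles that `show` would refuse.
  # (The limit is applied before filtering, so fewer than 10 may be shown.)
  def index
    @articles = Article.all(:limit => 10).select { |a| authorized?(a, :view) }
    display @articles
  end

  # Shows one article; @article is expected to be loaded by authorize_resource!.
  def show(id)
    display @article
  end

  # Shows an unpublished draft. The record is loaded here explicitly and
  # Unauthorized is raised unless the :view_draft policies grant access.
  def draft(id)
    find_member
    raise Unauthorized unless authorized?(@article, :view_draft)
    display @article
  end

  # Edit form; @article is expected to be loaded by authorize_resource!.
  def edit(id)
    display @article
  end

  # SECURITY(review): `article` is the raw request hash and every key it
  # contains is mass-assigned. If the model exposes ownership or publication
  # state as writable attributes, a client can set them here and satisfy the
  # Owner/ViewPublished policies; restrict the hash to client-editable
  # attributes before this call.
  def update(id, article)
    if @article.update_attributes(article)
      redirect resource(@article)
    else
      render :edit
    end
  end

  # Creates an article from the submitted attributes. The original called
  # `Articles.create(@article)` — the controller class, with a nil ivar —
  # which could never produce a model record. Same mass-assignment caveat as
  # `update`; note also that nothing here records the current user as owner,
  # so the Owner policy only works if that is done elsewhere — TODO confirm.
  def create(article)
    @article = Article.create(article)
    if @article.new_record?
      render :new
    else
      redirect resource(@article)
    end
  end

  # Deletes @article (loaded by authorize_resource!; :delete is Admin-only).
  def destroy
    @article.destroy
    redirect url(:articles)
  end

  private

  # Loads the article named by params[:id] into @article, raising NotFound if
  # it does not exist. The original looked up `Post` into @post, which `draft`
  # never read, so its authorization check ran against whatever @article
  # already held — possibly nil, which several policies treat as "allowed".
  def find_member
    @article = Article.get(params[:id])
    raise NotFound unless @article
    @article
  end
end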
## Policies
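# Authorization policies. Each answers two questions: general_policy(user) —
# may this user perform the action at all — and object_policy(user, object) —
# may they perform it on this particular object.
#
# SECURITY(review): several object policies deliberately fall OPEN for objects
# that lack the relevant predicate (an object without is_published? counts as
# published, one without owner as owned by everyone). A nil object responds
# to none of those predicates and would be allowed too, so callers must load
# the record first and 404 when it is missing. Where a user attribute is
# consulted, a nil (unauthenticated) user is denied rather than raising.
module Merb::Authorization::Policies
  class Public < Policy
    # Everyone may perform the action in general.
    def self.general_policy(user)
      true
    end

    # Allowed when the object says so via is_public?; objects without that
    # predicate are treated as public. (The original called `responds_to?`,
    # which is not a Ruby method, so it raised NoMethodError on every call.)
    def self.object_policy(user, object)
      object.respond_to?(:is_public?) ? object.is_public? : true
    end
  end

  class Admin < Policy
    # Admins only; a nil user is denied instead of raising NoMethodError.
    def self.general_policy(user)
      !user.nil? && user.is_admin?
    end

    # Admin access does not depend on the object.
    def self.object_policy(user, object)
      general_policy(user)
    end
  end

  class ViewPublished < Policy
    # Allowed when the object reports is_published?; objects without the
    # predicate are treated as published. (The original called `responds_to`,
    # which does not exist, so it always raised.)
    def self.object_policy(user, object)
      return true unless object.respond_to?(:is_published?)
      object.is_published?
    end
  end

  class PublisherRole < Policy
    # Requires the "publisher" role; a nil user is denied.
    def self.general_policy(user)
      !user.nil? && user.has_role?("publisher")
    end

    # The role is required in every case. The original returned true for
    # objects without is_publishable? WITHOUT checking the role, granting any
    # caller what was meant for publishers only.
    def self.object_policy(user, obj)
      return false unless general_policy(user)
      return true unless obj.respond_to?(:is_publishable?)
      obj.is_publishable?
    end
  end

  class Owner < Policy
    # Ownership needs a real user and a real object: the original compared
    # `obj.owner == user`, which is true when both are nil, so an anonymous
    # caller "owned" every unowned object, and a nil obj fell open.
    # Objects that have no owner attribute at all are still allowed (kept
    # from the original); confirm that every model guarded by Owner has one.
    def self.object_policy(user, obj)
      return false if user.nil? || obj.nil?
      return true unless obj.respond_to?(:owner)
      obj.owner == user
    end
  end
end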